IT security news on the latest technology and the number one resource for your hardware and software needs.
Visit us at www.hyphenet.com

Friday, February 10, 2012

Trojan "In-the-Wild" Exploits Patched Microsoft Office Vulnerability

Once again, we’re being reminded how important it is to keep your computer’s operating system current with the latest updates and patches.

If you don’t, you may find yourself in hot water when you encounter an attack that exploits a vulnerability that wouldn’t have otherwise existed.

Researchers over at Symantec stumbled across a targeted attack that attempts to exploit a Microsoft Office vulnerability that Microsoft issued a patch for back in September (see security bulletin MS11-073).

In the attack, the victim would receive a zip file – typically named “report.zip” – via email containing two files: a Word document and a DLL file, “fputlsat.dll.” It’s a rather interesting combination given that DLL files are rarely sent by email and the malicious DLL file carries the same name as a legitimate file that’s used for the Microsoft Office FrontPage Client Utility Library.


Symantec’s researchers found that, when executed, the exploit makes use of an ActiveX control embedded in the Word doc.

“When the Word document is opened, the ActiveX control calls fputlsat.dll which has the identical file name as the legitimate .dll file used for the Microsoft Office FrontPage Client Utility Library,” Joji Hamada explained in a blog post published on Thursday. “If the exploit is successful, malware is dropped onto the system.”

Once the attack has been carried out, the fputlsat.dll file is replaced with “Thumbs.db”, which is commonly created by Windows when thumbnail view is used and is typically hidden from view.
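The attachment pattern described above (a zip holding a Word document together with a DLL) is something a mail filter can check for. The sketch below is an added example, not code from Symantec or this blog; the function names, the extension list and the same-folder heuristic are assumptions, and the sample archive is constructed with placeholder bytes.

```python
import io
import zipfile
from pathlib import PurePosixPath

DOC_EXTS = {".doc", ".docx", ".docm", ".rtf"}
# Legitimate FrontPage library name that the article says the malicious DLL reused.
DECOY_NAMES = {"fputlsat.dll"}


def inspect_zip_attachment(data: bytes) -> dict:
    """Flag zip attachments that pair a Word document with a DLL."""
    result = {"documents": [], "dlls": [], "suspicious": False,
              "same_folder": False, "decoy_name": False, "error": None}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["error"] = "not a valid zip archive"
        return result
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Normalise Windows separators and case before comparing.
            path = PurePosixPath(info.filename.replace("\\", "/").lower())
            if path.suffix in DOC_EXTS:
                result["documents"].append(path)
            elif path.suffix == ".dll":
                result["dlls"].append(path)
    docs, dlls = result["documents"], result["dlls"]
    # Core signal from the article: a document and a DLL in one archive.
    result["suspicious"] = bool(docs and dlls)
    # Assumption of this example: a DLL beside the document deserves extra weight.
    result["same_folder"] = bool({d.parent for d in docs} & {d.parent for d in dlls})
    result["decoy_name"] = any(d.name in DECOY_NAMES for d in dlls)
    result["documents"] = [str(p) for p in docs]
    result["dlls"] = [str(p) for p in dlls]
    return result


def build_sample(names: list[str]) -> bytes:
    """Constructed test archive: placeholder bytes only, no real content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip_attachment(build_sample(["report.doc", "fputlsat.dll"])))
```

The file-name match is only a hint, since the name belongs to a legitimate Office component; the document-plus-DLL pairing is the stronger signal for quarantine or review.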